Analysis
max time kernel: 29s
max time network: 110s
platform: windows10_x64
resource: win10v20201028
submitted: 08-11-2020 18:38
Behavioral task: behavioral1
Sample: f97484e95aacf21edc625644bb5c5ee62cdb2d7fcf7c5682882b90b3d3730607.exe
Resource: win7v20201028
0 signatures
0 seconds

Behavioral task: behavioral2
Sample: f97484e95aacf21edc625644bb5c5ee62cdb2d7fcf7c5682882b90b3d3730607.exe
Resource: win10v20201028
0 signatures
0 seconds
General
Target: f97484e95aacf21edc625644bb5c5ee62cdb2d7fcf7c5682882b90b3d3730607.exe
Size: 2.0MB
MD5: 2ac605b6aac40e5cae86863c959f341e
SHA1: e230f54fd40245c851401bd35a6d5617560df3c2
SHA256: f97484e95aacf21edc625644bb5c5ee62cdb2d7fcf7c5682882b90b3d3730607
SHA512: 02fb9e753778b303d91c692d15c8b9d29681a04024eeee723506b727f5c7d274ef7ef343b1c1cfab8934220e072356f58ad3bc894c62d2101600e842f347b3da
Score: 1/10
Malware Config
Signatures
Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: f97484e95aacf21edc625644bb5c5ee62cdb2d7fcf7c5682882b90b3d3730607.exe

description       | ioc                                                                                                                  | process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service    | f97484e95aacf21edc625644bb5c5ee62cdb2d7fcf7c5682882b90b3d3730607.exe
Key opened        | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000                     | f97484e95aacf21edc625644bb5c5ee62cdb2d7fcf7c5682882b90b3d3730607.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc          | f97484e95aacf21edc625644bb5c5ee62cdb2d7fcf7c5682882b90b3d3730607.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service             | f97484e95aacf21edc625644bb5c5ee62cdb2d7fcf7c5682882b90b3d3730607.exe
Key opened        | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000             | f97484e95aacf21edc625644bb5c5ee62cdb2d7fcf7c5682882b90b3d3730607.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc | f97484e95aacf21edc625644bb5c5ee62cdb2d7fcf7c5682882b90b3d3730607.exe
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: f97484e95aacf21edc625644bb5c5ee62cdb2d7fcf7c5682882b90b3d3730607.exe

pid  | process
1080 | f97484e95aacf21edc625644bb5c5ee62cdb2d7fcf7c5682882b90b3d3730607.exe
1080 | f97484e95aacf21edc625644bb5c5ee62cdb2d7fcf7c5682882b90b3d3730607.exe
2020 | f97484e95aacf21edc625644bb5c5ee62cdb2d7fcf7c5682882b90b3d3730607.exe
2020 | f97484e95aacf21edc625644bb5c5ee62cdb2d7fcf7c5682882b90b3d3730607.exe
2020 | f97484e95aacf21edc625644bb5c5ee62cdb2d7fcf7c5682882b90b3d3730607.exe
2020 | f97484e95aacf21edc625644bb5c5ee62cdb2d7fcf7c5682882b90b3d3730607.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: f97484e95aacf21edc625644bb5c5ee62cdb2d7fcf7c5682882b90b3d3730607.exe, cmd.exe

description                       | pid  | process                                                              | target process
PID 1080 wrote to memory of 2020  | 1080 | f97484e95aacf21edc625644bb5c5ee62cdb2d7fcf7c5682882b90b3d3730607.exe | f97484e95aacf21edc625644bb5c5ee62cdb2d7fcf7c5682882b90b3d3730607.exe
PID 1080 wrote to memory of 2020  | 1080 | f97484e95aacf21edc625644bb5c5ee62cdb2d7fcf7c5682882b90b3d3730607.exe | f97484e95aacf21edc625644bb5c5ee62cdb2d7fcf7c5682882b90b3d3730607.exe
PID 1080 wrote to memory of 2020  | 1080 | f97484e95aacf21edc625644bb5c5ee62cdb2d7fcf7c5682882b90b3d3730607.exe | f97484e95aacf21edc625644bb5c5ee62cdb2d7fcf7c5682882b90b3d3730607.exe
PID 1080 wrote to memory of 968   | 1080 | f97484e95aacf21edc625644bb5c5ee62cdb2d7fcf7c5682882b90b3d3730607.exe | cmd.exe
PID 1080 wrote to memory of 968   | 1080 | f97484e95aacf21edc625644bb5c5ee62cdb2d7fcf7c5682882b90b3d3730607.exe | cmd.exe
PID 1080 wrote to memory of 968   | 1080 | f97484e95aacf21edc625644bb5c5ee62cdb2d7fcf7c5682882b90b3d3730607.exe | cmd.exe
PID 968 wrote to memory of 2760   | 968  | cmd.exe                                                              | PING.EXE
PID 968 wrote to memory of 2760   | 968  | cmd.exe                                                              | PING.EXE
PID 968 wrote to memory of 2760   | 968  | cmd.exe                                                              | PING.EXE
Processes (tree, indented by depth)

C:\Users\Admin\AppData\Local\Temp\f97484e95aacf21edc625644bb5c5ee62cdb2d7fcf7c5682882b90b3d3730607.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f97484e95aacf21edc625644bb5c5ee62cdb2d7fcf7c5682882b90b3d3730607.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\f97484e95aacf21edc625644bb5c5ee62cdb2d7fcf7c5682882b90b3d3730607.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\f97484e95aacf21edc625644bb5c5ee62cdb2d7fcf7c5682882b90b3d3730607.exe /C
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\f97484e95aacf21edc625644bb5c5ee62cdb2d7fcf7c5682882b90b3d3730607.exe"
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\PING.EXE
          Command line: ping.exe -n 6 127.0.0.1
          - Runs ping.exe